WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2024 Poal.co

925

You may have noticed that nitter.net's SSL certificate expired last night. You may also have noticed that your browser no longer gives you the option to temporarily add an exception for the website.

This change is (supposedly) intended to increase internet security, by preventing people from visiting spoofed websites. I guess I understand; most normies won't read the pop-up and will just bypass the security mismatch. I'd be unsurprised if a few got caught by DNS exploits or drive-bys.

Thing is, this means that if you're unable to obtain a PKI certificate for your website, or if some government invalidates your certificate, you've been effectively censored off the internet. You could put up a plain http server, but then all communications and all URLs visited can be logged by an outsider.

Right now, chrome has a "secret" bypass for the behavior; click on the background of the warning page, type "thisisunsafe" on the keyboard, then reload, and you can get on. Firefox has no such bypass.

Let's please put some pressure on web browser developers to revert this new behavior.

You may have noticed that nitter.net's SSL certificate expired last night. You may also have noticed that your browser no longer gives you the option to temporarily add an exception for the website. This change is (supposedly) intended to increase internet security, by preventing people from visiting spoofed websites. I guess I understand; most normies won't read the pop-up and will just bypass the security mismatch. I'd be unsurprised if a few got caught by DNS exploits or drive-bys. Thing is, this means that if you're unable to obtain a PKI certificate for your website, or if some government invalidates your certificate, you've been effectively censored off the internet. You could put up a plain http server, but then all communications and all URLs visited can be logged by an outsider. Right now, chrome has a "secret" bypass for the behavior; click on the background of the warning page, type "thisisunsafe" on the keyboard, then reload, and you can get on. Firefox has no such bypass. Let's please put some pressure on web browser developers to revert this new behavior.

(post is archived)

You are currently inside a comment thread.
Click here to see all the comments (13).
[–] 1 pt

I was once implementing a library called nopoll I believe for websocket use, and I was tasked with setting up our own certificates and making sure it was all actually secure.

I made my own certificates locally to test. Nopoll, like all / many other treats "self signed" differently as ca signed. HOWEVER what was shocking and obviously a deliberately left out SERIOUS SECURITY HOLE was that even if your cert was ca signed it wouldn't actually test to confirm it was legit.

So you could make your own ca for your own cert, use that cert and then nopoll would act like it was more secure than self signed without checking it what so ever. You had to give an extra flag in nopoll for it to actually check the ca.

It made me wonder how many other browsers / libraries etc are allowing this self signed as non self signed cert security hole. Basically this hole literally allows the middleman attack they are censoring sites claiming they are protecting you from.

[–] 1 pt

Note that a lot of antivirus software that scans web pages inserts a special CA into your browser, in order to MITM the connection and see what's going over the wire protocol. And yes, it's a huge potential security hole.

[–] 0 pt

A lot of corporate firewalls do this too. Their machines all have a corporate root certificate installed and they use that to spoof the CA for whatever domain you're visiting so they can MITM whatever you're visiting from the corporate network.